fixed office preview permission check

2025-09-07 09:51:26 +00:00 · 2015-07-08 10:33:07 +08:00
parent 2c246acf0f
commit cc225f3bb0
2 changed files with 7 additions and 6 deletions
--- a/seahub/templates/snippets/office_convert_js.html
+++ b/seahub/templates/snippets/office_convert_js.html
@@ -20,7 +20,8 @@ var OfficePreviewer = function(file_id, preview_token) {
            $.param({file_id: this.file_id, page: page});
    }
    this.page_content_url = function(page) {
-        return "{% url 'office_convert_get_page' obj_id %}/" + page + '.page';
+        return "{% url 'office_convert_get_page' obj_id %}/"
+            + page + '.page?office_preview_token=' + this.preview_token;
    }

    var url = window.location.href;
--- a/seahub/views/file.py
+++ b/seahub/views/file.py
@@ -1382,11 +1382,11 @@ def office_convert_get_page(request, path, internal=False):
        return HttpResponseForbidden()

    file_id = m.group(1)
-    # if path.endswith('file.css'):
-    #     pass
-    # else:
-    #     if request.office_preview_token != do_md5(file_id + settings.SECRET_KEY):
-    #         return HttpResponseForbidden()
+    if path.endswith('file.css'):
+        pass
+    else:
+        if request.office_preview_token != do_md5(file_id + settings.SECRET_KEY):
+            return HttpResponseForbidden()

    resp = get_office_converted_page(request, path, file_id, internal=internal)
    resp['Content-Type'] = 'text/html'